Apparatus and methods of authenticating users in a distributed networked computing system (10). The system (10) may comprise a central server (12) embodiment that includes a file (19) wherein IDs and encrypted passwords (30) are stored, or a distributed system embodiment where IDs and encrypted passwords (30) are stored in files (19) at each respective computer in the system (10). A multiple logon procedure (16) and secure transport layer protocol are used with a user's communication software and network communication software. When a user desires to use a particular computer (13), logon requests are processed by the multiple logon procedure (16) and it accesses the stored file (19) that contains the user's ID and encrypted password, decrypts the password (30), accesses the remote computer (13), and logs the user onto that computer (13). In the central server system all IDs and encrypted passwords (30) are stored on a single computer (the server (12)) that controls access to the entire distributed system (10). Once access is granted to a particular user, nonencrypted passwords (30) are transmitted to the remote computers (13), since the server (12) controls the entire system. In the distributed version, password files (19) are stored in all networked computers (13), and once a user logs on to a computer (11), if the user wishes to use services at a second computer (13), the authentication information is forwarded to the second computer (13) using the secure transport layer protocol to protect its integrity, and after receiving the authentication information, it is compared with authentication information for the same user stored in the second computer (13). If the authentication information matches, the user is logged onto the second computer (13).

BACKGROUND

The present invention relates generally to distributed computer systems, and more particularly, to a logon system and method for use with distributed and networked computer systems.

The prior art relating to controlling user access in a distributed processing environment is to request users to separately log on to each computer that provides needed services. This practice has many drawbacks. The user must remember many passwords, if passwords are different on each computer. Passwords transmitted in the clear (without security) may easily be picked up by others. Repeated logon requests are inconvenient to the user. The use of a bypass scheme by the user to speed up the process could also increase the security risk to the system.

More specifically, in a distributed processing environment, a user must repeatedly provide user identification (ID) codes and passwords to gain access to various services located throughout the system. For instance, a user must log on to a workstation, then log on to new computers when new services are needed. The repetition of these logon sequences is very inconvenient for users. Moreover, if user passwords are not the same on all computers in the system, users must remember many different passwords. To reduce the possibility of using a wrong password, the user might write them down (perhaps posted somewhere close to the workstation). This is not a secure practice. In addition, a user who is in a hurry to obtain information from a particular resource may not wish to go through the repeated logon process. He or she may find ways to bypass the security procedures used in the system, which creates a system weakness. Another weakness is that to log on remotely, the user ID code and password must be transmitted to the remote computer. Without a secure path from the user's workstation to the remote computer, anyone having access to the system could use a network analyzer to discover the password of the user.

Legion Technologies Corporation has a logon product known as TPX. The TPX product is an IBM mainframe product for a processing environment known as MVS/VM. It provides automated logon to MVS sessions, after an initial authentication to the end system. The user contacts the host computer and is authenticated. The host computer contains an access list of users and services, and grants access based on this list. Only the host computer needs to be modified and failures are localized to one host computer. However, this implementation is a homogeneous solution, with very limited communications available between IBM host servers (TELNET 3270). It is also a relatively expensive architecture to implement.

Another approach is known as the Kerberos system. In this system, a Kerberos server is provided and the user and an application on the host computer authenticate themselves to the server. The user software requests an authentication token from the host application, and both the host and user authentication tokens are sent to the server. The server responds with a token only readable by the user and host computer. The contents of the token are used to protect the data throughout the duration of the connection. This system provides for authentication at the application level, and provides for a key distribution mechanism. However, this system requires a host server application modification. The server makes possible a single point failure mode. Also, a large initial transaction time is required.

It is therefore an objective of the present invention to provide a safe and user-transparent method and means for authenticating users in a distributed computing system that does not require special purpose hardware development.

SUMMARY OF THE INVENTION 

In order to provide for the above and other objectives and features, the present invention provides for a system and method of authenticating users in a distributed computing system. The present invention includes a file stored at a predetermined location, such as a file server or workstation, that includes each user ID and encrypted passwords for each computer of the system. The user passwords stored in the file are encrypted prior to storage. Any convenient encryption algorithm may be employed, such as by using the well-known NSA standard encryption algorithm.

The present invention includes a multiple logon procedure that comprises a firmware or software routine that is used in the communication protocol of the system between a communication software program on a user's computer and a network communication software program on each of the other computers in the system. The present invention employs a secure transport layer protocol that permits secure file transfer between computers of the distributed system. Thus when a user desires to use a particular computer, such as a remote database, for example, a request initiated by the user is processed by the multiple logon procedure which accesses the stored file that contains the user ID codes and encrypted passwords, accesses the remote computer, and then enters the user's ID code and password for that computer. This is done automatically, and the process is transparent to the user and other users of the system. In essence, the remote computer interacts with the multiple logon procedure and its user ID code and password file, the multiple logon procedure decrypts the encrypted password for the particular requested computer and logs the user onto that computer using the ID code and decrypted password.

The present invention thus requires each user to log onto the distributed computing system only a single time and allows the user to access all available computers connected to the network. Several versions of the present invention are provided and include a system having a central server on which the IDs and encrypted passwords are stored, and a distributed system where IDs and encrypted passwords are stored at each respective computer in the system.

In operation, upon completing a single logon procedure at the user's workstation, the user is not required to provide his ID code or password again when services are needed from another computer within the same distributed system. A unique feature of the central server system of the present invention is that all IDs and encrypted passwords are stored on a single computer which controls access to the entire distributed and networked system. Once access is granted to a particular user, nonencrypted passwords are transmitted to the remote computers, since the server provides for control of the entire networked system. Unique features of the distributed system of the present invention are that (1) the same password files are stored in all networked computers in the system, (2) once a user logs onto one computer, if the user wishes to use services at a second computer in the system, the authentication information is forwarded to the second computer by using a secure transport layer protocol for protecting its integrity, and (3) after it is received, the authentication information is compared with authentication information for the same user stored in the second computer. If the authentication information matches, the user is automatically logged onto the second computer.

With the one-time logon system and method of the present invention, a user only needs to log on to a single workstation. Afterward, authentication information is forwarded by the secure communication protocol to other networked computers where their secure protocols automatically log the user onto those computers. The authentication information transmitted in the network is protected by the secure protocol and communication path to prevent others from recording the authentication information for later logon attempts, to prevent others from impersonating another user, and to guarantee the integrity of the authentication information.

The present invention is useful with any networked systems where a user has access to resources located on remotely located computers. To protect these resources from unauthorized access, a user must authenticate himself before access attempts are permitted. Because the authentication system and method of the present invention requires the use of end-system to end-system protection, a secure transport layer protocol may be employed.

The present invention is very robust and may be easily configured to work with mainframes and workstations by simply registering a user at the multiple logon server. The present invention thus provides a safe and user-transparent method to authenticate users in a distributed computing environment.

BRIEF DESCRIPTION OF THE DRAWINGS 

The various features and advantages of the present invention may be more readily understood with reference to the following detailed description taken in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

Fig. 1 illustrates a portion of a distributed computer system that employs a one-time logon system and method in accordance with the principles of the present invention that is embodied in a central multiple logon server;

Fig. 2 shows an example of a typical user computing session utilizing the computer system of Fig. 1 employing the system and method of the present invention;

Fig. 3 shows a flow chart of a processing method in accordance with the principles of the present invention; and

Fig. 4 illustrates a second embodiment of a distributed computer system that employs the system and method of the present invention.

DETAILED DESCRIPTION 

Referring to the drawing figures, Fig. 1 illustrates a portion of a distributed computer system 10 that employs the multiple logon aspects of the present invention that is embodied in a central multiple logon server 12. The distributed computer system 10 includes a user workstation 11, such as a personal computer, for example, the multiple logon server 12, and a remote host computer 13. The user workstation 11, multiple logon server 12, and remote host computer 13 are interconnected by way of a network 20.

The user workstation 11 includes various software and firmware programs, and in particular has a user application program 14, such as a terminal emulator program that is routinely used by the user. As part of the software running on the user workstation 11, a communication protocol such as TCP-IP stack 15 is used to connect each of the processing nodes (workstations 11 and host computers 13) together. In accordance with the principles of the present invention, a multiple logon protocol 16 (software interrupt routine) is "inserted" between the user application program 14 and the TCP-IP stack 15. The multiple logon protocol 16 forms part of the TCP-IP stack 15. As a consequence, the user application program 14 does not have to be modified. A server application program 17 and server TCP-IP stack 18 are provided as part of the multiple logon server 12. The server application program 17 is employed as an interface to a database 19, for example, stored on a disk drive 21 attached to the server 12. The database 19 stores the ID codes and encrypted passwords. The remote host computer 13 also includes a remote responder application program 22 and an associated host TCP-IP stack 23, that permits the user workstation 11 to interface with the remote host computer 13.

Fig. 2 shows an example of a typical user computing session utilizing the computer system 10 of Fig. 1 employing the present invention. A local user operates the workstation 11 and enters the appropriate user ID and password 30. Communication between the workstation 11 and a multiple logon server 12 is established and authentication of the user ID and password is attempted and, if correct, authentication is achieved. This permits an open session to occur wherein the user may use software programs and services provided by the multiple logon server 13. At a later time, if the user desires to log onto a remote host 13, the user ID and password stored on the server 12 are employed to log onto the remote host 13. This is done automatically by means of the communication software located on the workstation 11, the server 12, and the remote host computer 13. Accordingly, access to the remote host computer 13 is obtained without the additional requirement of inputting a user ID and password of the remote host computer 13.

Fig. 3 shows a detailed flow chart of a processing method 40 in accordance with the principles of the present invention that is implementable in the workstation 11, the server 12, and the host computer 13 of the computer system 10 of Fig. 1. The relevant portions of the processing method 40 that are used in each of these computers are identified within an appropriate dashed box (11, 12, 13). The appropriate action of the user (USERP) or the multiple logon procedure (MLP) of the present invention are identified. Other identifiers are indicated and will be described below.

At the workstation 11, the user initiates a request 41, such as a TELNET request, for example, for services provided by the remote host computer 13. A service authorization request 42 (SARQ) is generated and transmitted to the server 12 using the communication software package running on the workstation 11 and the server 12. A decision is made in the server 12 (in decision box 43) whether the user is connected to the multiple logon server 12. If the user is connected, then authorization information comprising an authorization message is sent 44 back to the multiple logon procedure in the workstation 11 which analyzes 45 the transmitted message, and sends a service connect request 46 to the remote host computer 13. The remote host computer 13 then accepts the request 47 and connects the user workstation 11 to it. Once connection is made, data exchanged between the workstation 11 and remote host computer 13 are a function of the specific transmission protocol used by the software applications running on each computer. Then the remote host computer 13 requests entry of a user ID and password 48 from the workstation 11. The multiple logon procedure then sends the appropriate user ID and password 49 to the host computer 13. Once service is connected 50, a host computer session is established 51, and the host remote computer 13 is able to provide the requested services to the workstation 11.

If at decision box 43 it is determined that the user workstation 11 is not yet connected to the multiple logon server 12, then an authorization request 52 (SARE) is made to the workstation 11. The authorization request 52 is processed by the multiple logon procedure 16 which retrieves 53 the appropriate user ID and password from the database 19 and sends 54 a connect request (MCRQ) to the server 12. The server 12 in turn sends 55 the connect request (MORE) to the workstation 11. The connect request (MORE) is then processed by the multiple logon procedure 16 to determine if the request should be accepted (box 56). If the request is accepted, the multiple logon procedure 16 loops back to the send service authorization request box 42 to wait for a new request. If the request is not accepted, the multiple logon procedure 16 rejects 57 the user and loops to the entry point waiting for the user to initiate an appropriate service request.

Fig. 4 illustrates a second embodiment of a distributed computer system 10a that employs the system and method of the present invention. The system 10a eliminates the multiple logon server 12 of Fig. 1 and incorporates a secure communication path 20a as part of the network 20 that connects a secure user workstation 11 to the remote host computer 13. In operation, at the user workstation 11, a user enters a user identification (ID) code and password 30 in order to log onto the workstation 11. A password encryption routine 31 is employed to encrypt the password 30. The ID code and encrypted password 30 are compared against the ID code and encrypted passwords stored in the workstation 11. The routine 31 employs a database 19a containing the user IDs and encrypted passwords that are used for comparison to the ID and password 30 entered by the user.

Upon entry of the correct ID and password 30, access to the workstation 11 is granted. A secure communication software program 32 is provided that interfaces to the remote host computer 13 over the secure communication path 20a. A similar secure communication software program 35 is provided on the remote host computer 13. A logon routine 33 is provided that requests the remote host computer 13 to log the user onto the remote host computer 13. The logon routine 33 communicates with an authentication routine 34 on the remote host computer 13 that authenticates and logs the user onto the remote host computer 13 upon receipt of the appropriate request. This routine 24 employs a database 19b containing all user IDs and encrypted passwords that are used for comparison to the ID code and password 30 forwarded over the secure communication path 20a.

The present system and method requires that the computers in the distributed processing environment use substantially the same one-way encryption algorithm for encrypting passwords. An individual user is assigned a single password for the entire system 10. The encrypted password for the user is the same on all computers in the system 10. After the user successfully logs onto one computer, such as the workstation 11, the encrypted password is transmitted by a secure transfer protocol 22 to the remote host computer 13 where, if the received ID code and encrypted password matches the ones stored at the remote host computer 13, the user is automatically logged on. The specific sequence of events required to implement the present system and method are as follows.

The user initially logs on to the workstation 11 by providing his identification (ID) code and password. The procedure 31 operating in the workstation 11 encrypts the password and compares it to the encrypted passwords stored in the database 19a. If they are the same, the user is logged onto the workstation 11. When the user wishes to access information stored in the remote computer 13, the procedure 33 requests the secure communication procedure 32 to initiate a communication protocol session with the secure communication procedure 35. Both procedure 33 and procedure 32 are located within the workstation 11, which is a secure computer. Hence, only the authorized users can utilize this secure communication path 20a. The secure communication protocol 35 is in the remote computer 13 which is also a secure computer. The secure communication protocol must offer protection from the workstation 11 (secure computer) to the remote computer 13 (secure computer). For example, a transport layer security protocol based on the ISO Draft International Standard well-known to those in the secure communications field may be used for this secure communication service.

After the secure communication path 20a has been established, the procedure 33 transmits the identification (ID) code and encrypted password of the user to the authentication procedure 34 in the remote computer 13. The authentication procedure 34, in the remote computer 11 allows the user to log on from the remote workstation 11. The authentication procedure 34 compares the encrypted password for the user with the one stored in the database 14 coupled to the remote computer 13. If they are the same, the user is permitted to log onto the remote computer 13.
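
The Fig. 4 sequence above, as an added Python example that is not part of the patent text: the workstation checks the password locally, then forwards the ID code and encrypted password for comparison on the remote host. Assumptions: PBKDF2 with a salt derived from the user ID stands in for the unspecified one-way encryption algorithm, an HMAC tag over a host-issued nonce stands in for the secure transport layer protocol on path 20a (confidentiality is not modelled), and all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # constructed work factor; must be identical on every computer


def encrypt_password(user_id, password, iterations=ITERATIONS):
    """One-way 'encryption' of a password (assumption: PBKDF2-HMAC-SHA256)."""
    # Salt derived from the user ID, so every computer computes the same
    # encrypted password for the same user, as the scheme requires.
    salt = hashlib.sha256(b"system-10/" + user_id.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _tag(path_key, nonce, user_id, enc_pw):
    """Integrity tag standing in for the secure transport layer on path 20a."""
    msg = nonce + len(user_id).to_bytes(2, "big") + user_id.encode() + enc_pw
    return hmac.new(path_key, msg, hashlib.sha256).digest()


class Workstation:
    """User workstation 11: password routine 31 and logon routine 33."""

    def __init__(self, database_19a, path_key):
        self.db = database_19a
        self.path_key = path_key
        self.logged_on = {}  # user ID -> encrypted password held for the session

    def logon(self, user_id, password):
        enc = encrypt_password(user_id, password)
        stored = self.db.get(user_id)
        if stored is None or not hmac.compare_digest(enc, stored):
            return False
        self.logged_on[user_id] = enc
        return True

    def forward(self, user_id, nonce):
        """Build the message sent to authentication routine 34."""
        enc = self.logged_on[user_id]  # KeyError if the user never logged on
        return {"id": user_id, "enc_pw": enc, "nonce": nonce,
                "tag": _tag(self.path_key, nonce, user_id, enc)}


class RemoteHost:
    """Remote host computer 13: authentication routine 34 over database 19b."""

    def __init__(self, database_19b, path_key):
        self.db = database_19b
        self.path_key = path_key
        self.pending = set()   # nonces issued and not yet used
        self.sessions = set()  # user IDs logged on

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def authenticate(self, msg):
        if msg["nonce"] not in self.pending:
            return False  # unknown or already used: a recorded message
        self.pending.discard(msg["nonce"])
        expected = _tag(self.path_key, msg["nonce"], msg["id"], msg["enc_pw"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # altered in transit, or not sent by a keyed peer
        stored = self.db.get(msg["id"])
        if stored is None or not hmac.compare_digest(stored, msg["enc_pw"]):
            return False
        self.sessions.add(msg["id"])
        return True


def demo():
    """Run the Fig. 4 sequence on constructed data and return each outcome."""
    key = secrets.token_bytes(32)  # keying material for path 20a (assumed)
    record = {"alice": encrypt_password("alice", "correct horse")}
    ws, host = Workstation(dict(record), key), RemoteHost(dict(record), key)

    out = {"bad_password": ws.logon("alice", "wrong")}
    out["local_logon"] = ws.logon("alice", "correct horse")
    msg = ws.forward("alice", host.challenge())
    out["remote_logon"] = host.authenticate(msg)
    out["replayed"] = host.authenticate(msg)  # same message presented again
    tampered = dict(ws.forward("alice", host.challenge()), id="bob")
    out["tampered"] = host.authenticate(tampered)
    # A computer using a different work factor derives a different value, so
    # it can never match the record the other computers store.
    other = encrypt_password("alice", "correct horse", ITERATIONS + 1)
    out["mismatched_algorithm"] = hmac.compare_digest(other, record["alice"])
    return out


if __name__ == "__main__":
    print(demo())
```

Because the remote host accepts the encrypted password itself as the credential, databases 19a and 19b need the same protection as the passwords, consistent with the text's requirement that both ends be secure computers.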

One specific embodiment of the present system 10 corresponding to Fig. 1, for example, may include a multiple logon procedure (MLP) server 12, that stores the user ID codes and encrypted passwords and implements the MLP processing routine, that is hosted on a SUN Sparcstation 1+ running SUNOS 4.1.1. For this implementation, the MLP server 12 may run as a daemon in a C-shell environment. The host computer 13 (Sparcstation 1+) has an operational TCP/IP protocol installed.

An application interface program library (MLP API) is used that obtains authentication information (user ID codes and passwords) from remote computers other than the MLP server 12. These libraries may be developed and compiled for numerous computers, including a SUN computer running SUNOS 4.1.1, compiled with K&R compilers available on the SUN operating system, as a C library; an IBM/PC computer running a DOS operating system, using a Borland C++ 3.0 compiler, as a DOS library; a NEXT computer running a MACH operating system, compiled with Objective C as an object-oriented interface; and a Macintosh computer running System 7.0, compiled with a Think C Compiler, as a Think C library.

The present invention is most useful in a distributed computing environment where many services are located on separate computers connected by a network. For example, a user may log on to a workstation. When the use of a file server, electronic mail, or directory server is required, the user can access the information without logging onto each of the computers that provide those services.

Thus there has been described a new and improved logon system and method for use with distributed and networked computer systems. It is to be understood that the above-described embodiment is merely illustrative of some of the many specific embodiments which represent applications of the principles of the present invention. Clearly, numerous and other arrangements can be readily devised by those skilled in the art without departing from the scope of the invention.



Claims 

1. A distributed computing system (10a) characterized by:

a user computer (11) comprising a communication program (32) including a multiple logon procedure (16) that is adapted to communicate with a remote computer (13) and that employs a secure transport layer protocol that permits secure file transfer between computers of the distributed computing system (10), and that comprises a stored file (19a) including a user identification code and an encrypted password (30) that permits access to the remote computer (13) from the user computer (11);

a remote computer (13) comprising a communication program (35) that is adapted to respond to the communication program (32) on the user computer (11) and that employs the secure transport layer protocol (16), and that comprises a stored file (19b) including a user identification code and an encrypted password (30) that permits access to the remote computer (13);

a network (20) interconnecting the user computer (11) and the remote computer (13);

and wherein a service request entered from the user computer (11) is processed by the multiple logon procedure (16) which accesses the stored file that contains the user identification code and encrypted password (30), decrypts the encrypted password (30) of the remote computer (13), transfers the identification code and decrypted password (30) to the remote computer (13), and logs the user computer (11) onto the remote computer (13).

2. The distributed computing system (10) of Claim 1 which is further characterized by:

a multiple logon server (12) coupled to the network (20) and interposed between the user computer (11) and the remote computer (13) that comprises a multiple logon procedure (16) and communication program that is adapted to communicate with the user computer (11) and the remote computer (13), and that comprises a stored file including a user identification code and an encrypted password that permits access to the remote computer (13) from the user computer (11), and that employs the secure transport layer protocol.

3. The distributed computing system (10) of Claim 1 wherein the multiple logon procedure (16) performed in the multiple logon server (12) is characterized by the steps of:

for each user, encrypting user passwords (30) for each computer in the distributed computing system (10);

storing a file (19) on a predetermined computer of the network that comprises each user identification code and encrypted passwords (30) for all computers in the distributed computing system (10);

processing service requests (42) for services provided by a selected computer in the system (10) by means of a secure transport layer protocol that permits secure file transfer between computers in the distributed system (10);

processing the service requests (42) using a multiple logon procedure (16);

accessing the stored file (19) that contains the user identification codes and encrypted passwords (30);

accessing the remote computer (13) and entering a user identification code and password (30) for that computer (13);

and wherein the remote computer (13) interacts with the multiple logon procedure (16) and user identification code and password file (19), and the multiple logon procedure (16) decrypts the encrypted password (30) for the particular requested computer and logs the user onto that computer (13).



4. The distributed computing system (10) of Claim 2 wherein the multiple logon procedure (16) performed in the multiple logon server (12) are characterized by the steps of:

for each user, encrypting user passwords (30) for each computer in the distributed computing system (10);

storing a file (19) on a predetermined computer of the network that comprises each user identification code and encrypted passwords (30) for all computers in the distributed computing system (10);

processing service requests (42) for services provided by a selected computer (13) in the system by means of a secure transport layer protocol that permits secure file transfer between computers in the distributed system (10);

processing the service requests (42) using a multiple logon procedure (16);

accessing the stored file (19) that contains the user identification codes and encrypted passwords (30);

accessing the remote computer (13) and enters a user identification code and password (30) for that computer (13);

and wherein the remote computer (13) interacts with the multiple logon procedure (16) and user identification code and password file (19), and the multiple logon procedure (16) decrypts the encrypted password (30) for the particular requested computer (13) and logs the user onto that computer (13).

5. A method of authenticating users in a distributed computing system (10) comprising a plurality of computers interconnected by way of a network (20), said method comprising the steps of:

for each user, encrypting user passwords (30) for each computer in the distributed computing system (10);

storing a file (19) on a predetermined computer of the network that comprises each user identification code and encrypted passwords (30) for all computers in the distributed computing system (10);

processing service requests (42) for services provided by a selected computer (13) in the system (10) by means of a secure transport layer protocol that permits secure file transfer between computers in the distributed system (10);

processing the service requests (42) using a multiple logon procedure (16);

accessing the stored file (19) that contains the user identification codes and encrypted passwords (30);

accessing the remote computer (13) and enters a user identification code and password for that computer;

and wherein the remote computer (13) interacts with the multiple logon procedure (16) and user identification code and password file (19), and the multiple logon procedure (16) decrypts the encrypted password (30) for the particular requested computer (14) and logs the user onto that computer (13).

6. A method of authenticating users in a distributed computing system (10) comprising a plurality of workstations (11) and remote computers (13) interconnected by way of a network (20) and a server (12) interposed between the workstations (11) and the remote computers (13), said method comprising the steps of:

storing a file (19) on the server (12) that comprises each user identification code and encrypted passwords (30) for all computers in the distributed computing system (10);

providing a predetermined multiple logon procedure (16) that operates on a workstation (11) that is adapted to interface between a workstation (11) and a plurality of remote computers (13);

using the multiple logon procedure (16) to generate a service request (42) at the workstation (11) for a service available at a remote computer (13) and transmit the service request (42) to the server (12) using a predetermined communication protocol;

determining whether a user is connected to the server (12), and if the user is connected to the server (12), transmitting an authorization message (44) to the workstation (11);

using the multiple logon procedure (16) to send a service connect request (46) from the workstation (11) to the remote computer (13) to connect the workstation (11) to the remote computer (13);

requesting (48) entry of a user ID and password (30) from the workstation (11);

using the multiple logon procedure (16) to send (49) an appropriate user ID and password (30) from the workstation (11) to the remote computer (13) to establish connection therebetween;

if the user workstation is not connected to the server (12), then the server (12) requests authentication (52) from the workstation (11);

using the multiple logon procedure (16) to process the authorization request (52) and retrieve (53) an appropriate user ID and password (30) from the file (19) and send a connect request (54) to the server (12);

upon receipt of the proper user ID and password (30), the server (12) sends a service connect message (55) to the workstation and connection is established therebetween;

if the service request is accepted, the multiple logon procedure (16) waits for a new request;

if the service request is not accepted, the multiple logon procedure (16) rejects the user and waits for the user to initiate an appropriate service authorization request (42).